
Integration of Sendmail, PostgreSQL, SASL, and TLS
June 28th, 2002

Greetings, this is a HOW-TO compendium for integrating Sendmail (version 8.12.5), PostgreSQL, SASL, and TLS. This combination lets you keep the majority of your sendmail data in SQL tables, so updates take effect instantly without restarting or signalling sendmail in any fashion, and adds authentication and encryption. Some data remains in static text files; that is a twofold issue: 1) I haven't felt like doing it and 2) it rarely changes. One of these days I will indeed get around to making everything SQL tables. If you are familiar with SQL, this will be a breeze for you. If not, it is a learning experience. Later in this document I have provided a sample psql schema for creating a template set of tables.

http://www.pgsql.com http://www.sendmail.org

The two other parts involved here are SASL and TLS. SASL is used for login, secret, or realm based authentication, and TLS is used to encrypt the MTA session. TLS support is provided by utilizing SSL functions. The SASL login provision lets your MUA or another MTA authenticate as a valid authorized connection. This is normally used for two purposes: authorization to use the mail server and, subsequently, authorization to RELAY through the server. SASL can be a bit of a hassle to understand and install; hopefully this guide will get you going in the right direction. TLS allows the session to be encrypted. No more snooping of mail as it is being delivered to the MTA.

Acknowledgment to David for nudging me into fixing some things and to Jonathan Yarden who had the first PostgreSQL patch I found. I have rewritten most of his original patch (you can find his at http://www.missing.net/). My patch implements connection caching and connection sharing, which means there will be at most one connection per sendmail child to the SQL server as long as the host and connection strings match. Faster startups and faster processing with less resource consumption means happier servers.

Notes, introductory reading, and odd resources: this Blue Labs sendmail patch is CASE SENSITIVE; username 'Joe' is different from 'joe'. Edit the bluelabs.mc file if you don't want this feature. The introductory reading links below are highly recommended. This web page in no way does justice to explaining much of anything. It started out as a notepad for my efforts to integrate pgsql and turned into a reference page for others. I don't attempt to address any theoretical or practical discussion of the technologies involved, only a summarized list of integration instructions.

References

  1. General email page by Claus Aßmann
  2. Sendmail Auth by Claus Aßmann
  3. Sial.org Sendmail Configurations & Documentation.
  4. Lutz's Postfix based page on being your own CA by Lutz Jänicke
  5. OpenCA
  6. Perl CGI to load certs into your browser via web
  7. Webpage for generating and loading Mozilla/Netscape based certs
  8. Webpage for generating and loading Microsoft based certs

Prerequisite Packages

Recommended Packages

Patches and related files

Compiling Steps

Getting started

The assumption is made that you have all the requisite packages, your compiler works, etc. I also assume you know how to untar, uncompress, patch, etc.

  • Obtain the above composite patch and bluelabs.mc file
  • Read over the files and my previous notes

I suggest placing the patch in /tmp and putting the sendmail source in /usr/src/sendmail-X.X.X as these are the locations I will be referencing.

Unpacking, patching

Untar sendmail source and apply the patch.

  • cd /usr/src
  • tar --use=bzip2 -xf /path/to/sendmail-8.12.5.tar.bz2
  • cd sendmail-8.12.5
  • patch -p1 < /path/to/bluelabs.patch-8.12.4

Tuning

Edit the bluelabs.mc file and any other site specific files you normally edit for your tailored configuration. Look over bluelabs.mc and, if necessary, alter your runtime parameters. In particular, make sure your map rules point to your pgsql server. Be sure PROCMAIL_MAILER_PATH points to the right location for procmail or your desired local mailer. The generated sendmail.cf is designed to be generic and fit right into place without any editing, and I strongly recommend against direct editing of the sendmail.cf file. All your site specific domain configuration should be in the static text files and SQL tables.

Building

First compile the binaries, then build the configuration file.

  • Build -S -c -f /usr/src/sendmail-8.12.5/bluelabs.mc
  • m4 cf/m4/cf.m4 /usr/src/sendmail-8.12.5/bluelabs.mc > /tmp/sendmail.cf

Installation Steps

Install files

First you need to add the user/group pair smmsp to /etc/passwd and /etc/group -- or whatever authentication setup you have.

  • Add the user and group 'smmsp'
  • Build install

Directories

For each of the following directories, create it and give it root:root ownership with mode 755 (normally the default).

  • mkdir -p /etc/mail/host-status
  • mkdir -p /var/spool/mail
  • mkdir -p /var/spool/mqueue/{expensive,lmtp,local,smtp,relay}/{d,q,x}f
  • chmod 700 /var/spool/mqueue
  • chgrp -R smmsp /var/spool/mqueue/*
  • chmod g+w /var/spool/mqueue/*
  • chmod g+w /var/spool/mqueue/*/*

Files

Note: If you wish to collect statistics about your mail traffic, you should create the file /etc/mail/sendmail.st.

  • cd /etc/mail
  • touch local-host-names masquerade-these-as-me trusted-users sendmail-status
  • mv /tmp/sendmail.cf /etc/mail/sendmail.cf
  • touch /etc/mail/sendmail.st
  • chmod 664 /etc/mail/sendmail.st
  • chgrp smmsp /etc/mail/sendmail.st
Configuration Steps

Getting started

There are four main areas of configuration: Sendmail, PostgreSQL, TLS, and SASL. I'll cover each in turn.

Sendmail flat files

Local domains

Add all domains you receive mail for to /etc/mail/local-host-names. Do not add domains that you only relay for, i.e. domains whose mail is not delivered to a local mailbox but forwarded somewhere else, such as when you provide secondary MX service.

Trusted users

Add your trusted users to /etc/mail/trusted-users.

Masquerade

If you intend to forcibly masquerade hostnames, add those host names to the /etc/mail/masquerade-these-as-me file.

SASL

Configuration and DB

I will assume you installed SASL in /usr/lib/sasl. When sendmail is linked with SASL capability, it looks for a configuration file named after the application; the filename it looks for is Sendmail.conf.

  • Create or edit /usr/lib/sasl/Sendmail.conf and add this line:
    pwcheck_method: shadow
  • Create a SASL db with saslpasswd; make users as you wish:
    1. saslpasswd -a Sendmail -c -u yourmailserver.com sendmail
TLS

Certificates

I am also assuming you have previously installed OpenSSL and have a working setup. If not, please use my link above for instructions on how to install and set up an initial SSL configuration. In the certificate creation steps, be sure to specify the hostname of your mail server as the Common Name.

  • Make a new certificate. Set your Common Name to the fully qualified hostname of your mail server and make sure the IP it uses matches forward and reverse DNS, or some mail clients will continually complain (read: MS Outlook).
    1. openssl req -config openssl.cnf -new -x509 -days 365 -keyout private/mailkey.pem -out private/mailkey.pem -nodes
  • Sign the new certificate
    1. openssl x509 -x509toreq -in private/mailkey.pem -signkey private/mailkey.pem -out request.pem
    2. openssl ca -config openssl.cnf -policy policy_anything -out certs/mailcert.pem -infiles request.pem
    3. rm request.pem
Sendmail SQL tables in PostgreSQL

Creating

These steps assume you have properly installed PostgreSQL, that it is currently in operation, and that you have granted the proper host/user permissions to connect to the SQL server.

  • Create the tables using the schema provided above. If you alter the schema, be sure to modify the bluelabs.mc or sendmail.cf file to match.
    1. su - postgres
    2. createdb sendmail
    3. createuser -D -A mailadmin
    4. createuser -D -A sendmail
    5. psql -d sendmail -f bluelabs.schema
    6. psql -d sendmail -f bluelabs.pgsql.initial

Access (hints)

  • If you did not accomplish step #6 above and want to do this by hand, put your local netblocks, hostnames, and localhost in at the minimum. Using any tool to edit the SQL tables, enter rows similar to the following. To use psql, start it as user postgres: bin/psql -d sendmail mailadmin.
    1. psql> insert into access values ('localhost','RELAY');
    2. psql> insert into access values ('127.0.0.1','RELAY');
  • Now repeat this for each netblock or hostname and give it the appropriate access such as RELAY, e.g.
    1. psql> insert into access values ('mail.server.com','RELAY');

See my page on the access table for ideas on how to utilize the available keywords.

Aliases

  • RFC dictates that you must accept the NULL envelope sender (<>) and that you accept mail for <POSTMASTER[@domain part]>. I suggest that you also accept mail for: mailer-daemon, abuse, security, admin. I direct all my administrivia email to my account like so:
    1. psql> insert into aliases values ('MAILER-DAEMON','david');

Make sure that if you keep case sensitive email addressing, as is the default in my patch, you also support 'mailer-daemon', etc. If you don't accept email for the required users, you are likely to end up at http://www.rfc-ignorant.org/ and your mail will be blacklisted.

Virtualusers

The virtualusers map lets you rewrite email addresses. You can rewrite the username, the hostname, direct all email for a given domain to a single user, or play numerous other tricks. This is a set of example rewrite rules; please read the sendmail documentation for more ideas.

  • Direct all email for david@hostA.com to david@hostB.com
    1. psql> insert into virtualusers values ('david@hostA.com','david@hostB.com');
  • Direct email for all users at domainC.com to joe@target.com
    1. psql> insert into virtualusers values ('@domainC.com','joe@target.com');
MX Relay

For all domains that you act as an MX relay for (secondary MX), you need to make sure that for each domain you have (a) an access rule such as 'domain.com','RELAY' in the access table, and (b) if you use wildcard MX records (e.g. one MX per domain), a mailertable entry such as 'domain.com','esmtp:mail.original.com' that points mail for 'domain.com' to the primary MX. If you don't do this and you use wildcard MX records, mail will bounce very fast through all the listed secondary MX records and within a minute or two will have exceeded the maximum number of hops and will be dropped.

  • Enter your psql dialog tool again
    1. psql> insert into mailertable values ('mail.domain.com','esmtp:mail.primaryrelay.com');
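As an added example (not the page's schema or the Blue Labs patch), here is an offline model of the access, aliases, virtualusers and mailertable maps that ties the Aliases and MX Relay sections together: it assumes each map is a plain (key, value) table, as the INSERT statements above imply, stands SQLite in for PostgreSQL, and shows the case sensitive lookups and the consistency checks those two sections describe.

```python
"""Offline model of the (key, value) map tables this page keeps in PostgreSQL.

Added example, not the Blue Labs schema or patch. The two-column table shape is
assumed from the page's INSERT statements; SQLite stands in for PostgreSQL here."""
import sqlite3

MAPS = ("access", "aliases", "virtualusers", "mailertable")
# postmaster is required by RFC; the others are the aliases the page recommends.
REQUIRED_ALIASES = ("postmaster", "mailer-daemon", "abuse", "security", "admin")


def build_db(rows):
    """Create the four maps and load rows = {map_name: [(key, value), ...]}."""
    db = sqlite3.connect(":memory:")
    for name in MAPS:
        db.execute(f"CREATE TABLE {name} (key TEXT PRIMARY KEY, value TEXT NOT NULL)")
        db.executemany(f"INSERT INTO {name} VALUES (?, ?)", rows.get(name, []))
    return db


def virtual_lookup(db, address):
    """Simplified virtusertable lookup: the exact address first, then the
    '@domain' catch-all. Keys compare case sensitively, as the patch does."""
    if "@" not in address:
        return None
    domain = address.split("@", 1)[1]
    for key in (address, "@" + domain):
        row = db.execute("SELECT value FROM virtualusers WHERE key = ?", (key,)).fetchone()
        if row:
            return row[0]
    return None


def missing_aliases(db):
    """Required aliases with no row. Case matters here too: a row for
    'MAILER-DAEMON' alone does not accept mail for 'mailer-daemon'."""
    have = {k for (k,) in db.execute("SELECT key FROM aliases")}
    return [a for a in REQUIRED_ALIASES if a not in have]


def secondary_mx_gaps(db, domains):
    """For each domain we are secondary MX for, list which of the two rows the
    MX Relay section requires is absent: an access RELAY row, a mailertable route."""
    checks = (("access", "SELECT 1 FROM access WHERE key = ? AND value = 'RELAY'"),
              ("mailertable", "SELECT 1 FROM mailertable WHERE key = ?"))
    gaps = {}
    for d in domains:
        missing = [name for name, q in checks if not db.execute(q, (d,)).fetchone()]
        if missing:
            gaps[d] = missing
    return gaps
```

Feed it the rows from your real tables (a `SELECT key, value FROM ...` per map) and any domain listed by `secondary_mx_gaps` is one that will loop or be rejected under wildcard MX, exactly the failure the MX Relay section warns about.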
Client Configuration Steps

Mozilla and Netscape

Edit your SMTP settings and enable the following; exact wording will vary:

  • Use name and password
  • User Name:
  • Use secure connection (SSL)

Here is a picture [example]

Outlook

DO NOT enable SPA.

  • Under Accounts->Properties->Server->Outgoing Mail Server, check "My server requires authentication"
  • Then click on the box right next to it labeled Settings, and choose as necessary. Again, don't enable SPA.
  • Under Accounts->Properties->Advanced->Outgoing Mail, check "This server requires a secure connection (SSL)"
Testing and Example Output

No articles, software, or any item from Blue Labs Software, http://blue-labs.org/, may be copied or reproduced by Newsforge.org or Linux.com. These two sites may link only. All other sites may freely link or copy. The upper staff of these two sites are a discredit to our community.
    No articles, software, or any item from Blue Labs Software, http://blue-labs.org/, may be copied or reproduced by Newsforge.org or Linux.com. These two sites may link only. All other sites may freely link or copy. The upper staff of these two sites are a discredit to our community. explained